The PRISM Scandal: Cloud Computing Steps Back into Reality

Posted on August 9, 2013.

What future is there for cloud computing after the PRISM scandal? According to Henri Leben and Benjamin Gallic, lawyers who specialize in the latest technology, the information economy risks suffering from the revelations of Edward Snowden because without trust, there is no data, and without data, there is no chance to monetize it.

While the negotiations on the free trade treaty have just begun between the U.S. and EU, the PRISM scandal could call into question this trans-Atlantic commercial cooperation and relaunch the debate on the protection of personal data. The power of enterprises, such as Facebook or Google, rests on this collection of data but also on the trust that users have in the preservation of the confidentiality of this data. If citizens’ data, or equally that of European businesses, are accessible to U.S. government authorities, this issue is no longer simply ethical for Europe but also economic.

A Program under the Aegis of the Protect America Act

Revealed by a former National Security Agency employee, now a fugitive, the PRISM scandal has not finished taking its toll on relations between Europe and the United States. As a brief reminder, behind this acronym hides the program put into place by U.S. authorities, permitting them to demand that communications companies hand over details about people living outside the U.S.

While this program, which operates within the framework of the Protect America Act of 2007, raises obvious questions regarding the protection of privacy and respect for fundamental rights, its economic consequences should not be neglected.

A Recent Case that Illuminates the PRISM Scandal

Legal context: So far, we know very little of the legal context in which the U.S. authorized the implementation of the PRISM program. However, a decision dated Aug. 22, 2008, made by the U.S. court competent to review the monitoring of foreign communications, was made public and helps identify the legal scheme implemented through PRISM.

Served by U.S. authorities with a request for access to communications from abroad, a telecommunications operator (most likely Yahoo; the name of the applicant has been classified as confidential) sent an appeal to the Foreign Intelligence Surveillance Court. Because the FISC rejected the applicant’s appeal, it was submitted to the review court, whose Aug. 22, 2008 decision was made public.

Following the terms of traditional legal reasoning, the court compared the interests protected by the Protect America Act provisions with possible infringements on American constitutional interests.

By Law US Authorities Can Request Access to Communications Abroad

In this case, the controversial provisions of the Protect America Act were those allowing U.S. authorities to demand that communications providers give access to communications from abroad without having to produce a warrant issued by a judge. A priori, such an arrangement appears to violate the Fourth Amendment, which requires the issuance of a warrant listing in a precise manner the goods that may be seized, a warrant that can only be issued based on elements rendering probable a violation of the law.

Having examined the arguments invoked by the different parties, the court concluded that, given the need to protect national security, the Protect America Act provides sufficient safeguards to limit the risk of unjustified harm to the interests of individuals. Therefore, the appeal was dismissed and the applicant was forced to provide access to information from nonresidents of the United States.

Trust: The Essential Component in the Trading of Data

It is clear from this case that a European company that transfers personal data of its customers to a U.S. company no longer has any guarantee of confidentiality. However, as stressed by European Commissioner Viviane Reding, “It is only when consumers can ‘trust’ that their data is well-protected that they will continue to entrust businesses and authorities with it.” In other words, trade in personal data is dependent on consumer confidence in the recipients of such data.

To reassure customers and users, the EU and U.S. signed the “Safe Harbor” agreement in 2001. This agreement aims to supervise and secure the transfer of personal data between the two signatories, ensuring “adequate protection” within American companies (according to the European Directive of 1995).

The Monetization of Personal Data Based on the Cloud

However, this system relies on the will of participating U.S. companies, which certify themselves as meeting the level of personal data protection required by European Community legislation, while simultaneously being compelled to comply with U.S. obligations to supply such data.

The “Big Four” — Google, Apple, Facebook and Amazon — whose business models incorporate much of the collection, management and trade of personal data through their own advertising agencies, have joined the “Safe Harbor.” The economy of the monetization of personal data and customized advertising is based mainly on the system of the cloud. According to the “Vocabulary of Computers and the Internet,” published in The Official Gazette on June 6, 2010, the cloud is “a way of processing data from a client via the Internet and taking the form of services provided by a supplier.”

Data that Is Difficult To Locate

European consumers of the “Big Four” therefore use services, often American, derogating from European Community rules on protection. Moreover, the data stored on the cloud are often transferred daily from country to country, depending on the storage capacity of the dedicated servers, which makes them very difficult to locate and, therefore, makes their activity very difficult to regulate.

The PRISM scandal shows that companies based in the U.S. are required to pass on to the competent U.S. authorities the personal data collected from their customers. This finding may undermine the very concept of “Safe Harbor” as well as the trust relationship established between European citizens and U.S. companies.

In Order To Protect Data, Give Priority to the Cloud ‘Made in France’

Indeed, some flaws are tainting the “Safe Harbor” agreement. First, through the Patriot Act and Homeland Security Act of 2002, the legal framework provides the U.S. government access to the data transmission business in the name of the fight against terrorism and cybercrime. Moreover, the PRISM scandal also illustrates that illegal recordings of personal data can be institutionalized without the people concerned being informed.

If European customers no longer have a guarantee of the protection of their personal data, the information economy is very likely to suffer. Now the alternative for users is to turn to online services benefiting from servers that are physically located on our national soil (Cloudwatt from Orange/Thales, Numergy from SFR/Bull). Ensuring effective data protection, framed by French and European legislation, therefore becomes a high-ranking selling point.

The Crisis of Confidence Spills Over into Trade Relations

This crisis may also affect trade relations between the U.S. and France, influencing negotiations on free trade. Although France has finally agreed to open discussions on the anticipated date despite the PRISM scandal, reluctance on the part of French politicians and the European Parliament may nevertheless impede progress.

As recalled by our president in his speech in Berlin on July 3, 2013, “There can be no initiation of trade negotiations without the initiation of talks and verifications — on the same date, at the same time — with the U.S. on U.S. intelligence activities in our country and the protection of private data.”
